Category: Hijack
Posted by Andree Toonk - December 12, 2017 - Hijack
Early this morning (UTC) our systems detected a suspicious event where many prefixes for high profile destinations were being announced by an unused Russian Autonomous System. Starting at 04:43 (UTC) 80 prefixes normally announced by organizations such as Google, Apple, Facebook, Microsoft, Twitch, NTT Communications and Riot Games were now detected in the global BGP routing […]
Posted by Andree Toonk - April 27, 2017 - Hijack
The world of BGP routing is a fascinating place with lots of interesting BGP events happening every day. It can be challenging to keep track of it all and so two years ago we started the BGPstream website where we keep track of large scale outages and BGP hijacks. We list the events, basic info and visualize […]
Posted by Andree Toonk - April 22, 2016 - Hijack
April 23, Update: NOC Team at innofield posted an explanation of the Incident in the comments section below. Starting today at 17:09 UTC our systems detected a large scale routing incident affecting hundreds of Autonomous systems. Many BGPmon users have received an email informing them of this change. Our initial investigation shows that the scope […]
Posted by Andree Toonk - November 6, 2015 - Hijack
BGP hijacks happen every day, some of them affect more networks than others and every now and then there’s a major incident that affects thousands of networks. Our monitoring systems keep an eye out for our users and if you would like to have a general idea of what’s going on in the world of […]
Posted by Andree Toonk - July 12, 2015 - Hijack
By Andree Toonk and Dhia Mahjoub. As part of the Hacking Team fallout and all the details published on Wikileaks, it became public knowledge that Hacking Team helped one of their customers, Special Operations Group (ROS), regain access to Remote Access Tool (RAT) clients. As first reported here: http://blog.bofh.it/id_456 ROS recommended using BGP hijacking […]
Posted by Andree Toonk - March 27, 2015 - Hijack
Earlier today many BGPmon users received one or more alerts informing them that their autonomous system (AS) started to announce a more-specific prefix. BGPmon classified many of these alerts as possible BGP man-in-the-middle (MITM) attacks. Here is an example alert: ==================================================================== Possible BGP MITM attack (Code: 21) ==================================================================== Your prefix: 23.20.0.0/15: Prefix Description: acxiom-online.com — […]
Posted by Andree Toonk - February 17, 2015 - BGPmon.net, Hijack
Over the last year we have seen and written about numerous BGP routing incidents that looked out of the ordinary, straight-up suspicious or were just configuration mistakes. In this blog post we will highlight a few of them and look at the impact and cause of each of the observed incidents and try to determine […]
Posted by Andree Toonk - December 9, 2014 - Hijack
The Syrian national Telecommunications Establishment (STE) has been in the news numerous times over the last few years, mostly because of the long lasting large scale Internet outages in Syria. This morning however we observed a new incident involving the two Autonomous systems for STE (AS29386 and AS29256). Starting at 08:33 UTC we detected that hundreds of […]
Posted by Andree Toonk - September 3, 2014 - Hijack
It’s long been assumed that spammers use a technique called IP squatting to get around IP reputation lists and to make it harder to find the real source of the spammers. In this blog we’ll take a closer look at spam operations and their techniques. IP Squatting: We’ve all read the reports about IPv4 running […]
Posted by Andree Toonk - August 12, 2014 - Hijack
A few days ago researchers at Dell SecureWorks published the details of an attacker repeatedly hijacking BGP prefixes for numerous large providers such as Amazon, OVH, Digital Ocean, LeaseWeb, Alibaba and more. The goal of the operation was to intercept data between Bitcoin miners and Bitcoin mining pools. They estimated that $83,000 was made with this […]
Posted by Andree Toonk - April 3, 2014 - Hijack, News and Updates
Today we observed a large-scale ‘hijack’ event that affected many of the prefixes on the Internet. This blog post is to provide you with some additional information. What happened? Indosat, AS4761, one of Indonesia’s largest telecommunication networks, normally originates about 300 prefixes. Starting at 18:26 UTC (April 2, 2014) AS4761 began to originate 417,038 new […]
Posted by Andree Toonk - March 29, 2014 - Hijack, News and Updates
At BGPmon we see numerous BGP hijacks every single day, some are interesting because of the size and scale of the hijack or as we’ve seen today because of the targeted hijacked prefixes. It all started last weekend when the Turkish president ordered the censorship of twitter.com. This started with a block of twitter by […]
Posted by Andree Toonk - March 30, 2013 - BGP instability, Hijack
It’s been a busy week for network engineers worldwide, rerouting around broken optical links and of course the 300Gb/s DDoS attack towards Spamhaus and Cloudflare. This DDoS has been classified as the largest DDoS attack ever recorded and has been written about quite a bit in mainstream media. There’s been a bit of discussion […]
Posted by Andree Toonk - January 8, 2013 - Hijack, News and Updates
Just a few days ago we learned about an incident involving a mis-issued SSL certificate that was used in a Man in the Middle attack to intercept Gmail data. In this blog post we’ll talk about how Man in the Middle (MITM) attacks work and we’ll look at a recent BGP MITM event that caused traffic […]
Posted by Andree Toonk - October 3, 2011 - Hijack
F-Root DNS server moved to Beijing. Systems such as DNS (root) servers often rely on anycast technology to improve availability and response time. The idea behind anycast is that the same prefix is announced from multiple geographically separated systems. As a result the client should always end up at the closest (as seen from a BGP […]
Posted by Andree Toonk - March 26, 2011 - Hijack
Many of you remember the story of about a year ago, when we reported that a Chinese network was announcing a significant part of the prefixes on the Internet. Networks affected by this incident included big names such as dell.com and cnn.com as well as U.S. government (.gov) and military (.mil) sites, including those for […]
Posted by Andree Toonk - January 19, 2011 - Hijack, IRR, RPKI
Securing BGP has been on the to-do list of the IETF and the community at large for many years. Over the years we’ve seen several proposals; the Resource Public Key Infrastructure (RPKI) is the latest and most successful initiative. RPKI solves one of the most fundamental problems. It allows us to verify whether an Autonomous […]
Posted by Andree Toonk - January 15, 2011 - Hijack
This is just a quick post to address some of the emails I’ve received today. Quite a few BGPmon.net users have received a notification regarding a possible hijack of their address space. On Friday January 14th AS4761, INDOSAT-INP-AP, started to originate a large number of new prefixes. A quick check shows that AS4761 originated […]
Posted by Andree Toonk - November 21, 2010 - Hijack
China denies hijacking a huge chunk of US net traffic
Internet Traffic from U.S. Government Websites Was Redirected Via Chinese Networks
Posted by Andree Toonk - August 23, 2010 - Hijack
BGP hijacks happen every day; the majority of them don’t affect a large geographic region and are only noticed by a small number of users. Every now and then however we see an event that affects many users, either because of the geographic scale or simply because of the specific prefix that is affected. The latter […]
Posted by Andree Toonk - April 8, 2010 - Hijack
This morning many BGPmon.net users received an alert regarding a possible prefix hijack by a Chinese network. AS23724 is one of the Data Centers operated by China Telecom, China’s largest ISP. Normally AS23724 CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation only originates about 40 prefixes, however today for about 15 minutes they originated about ~37,000 unique prefixes […]
Posted by Andree Toonk - October 10, 2009 - Hijack
Friday morning around 07:22:08 UTC AS9035 (Wind Telecomunicazioni) started to announce approximately 85.000 prefixes with an invalid origin AS. The origin AS was set to AS9035 while these prefixes did not belong to AS9035. The impact was local to a number of Italian providers, all Telecom Italia customers. The incident was resolved in about ~2 […]
Posted by Andree Toonk - May 11, 2009 - Hijack
This morning there was a discussion about a possible prefix hijack by AS13214 on the Nanog list. Cyclops users received a notification email notifying them that AS13214 was announcing their prefix. I just went through some of the raw data and this is what I found. It seems it was picked up by the route-views4 […]
Posted by Andree Toonk - November 25, 2008 - BGPmon.net, bogons, Hijack, IPv6
I am happy to announce that BGPmon now has full IPv6 support! This means that you can now monitor your IPv6 prefixes just as you are monitoring your IPv4 prefixes. All the codes, alarm messages, etc. are the same as for IPv4. It took a while because I had to write a few new libraries […]
Posted by Andree Toonk - November 11, 2008 - Hijack
Many BGPmon.net users received a notification email regarding a possible prefix hijack. I just went over the data files manually and verified the leak. For those interested, let me share with you what I saw in the raw data. Between 01:55 UTC and 02:15, 267947 distinct prefixes were originated from AS16735 (Companhia de Telecomunicacoes […]